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ABSTRACT 


Millions of users worldwide resort to mobile VPN clients to 
either circumvent censorship or to access geo-blocked con- 
tent, and more generally for privacy and security purposes. 
In practice, however, users have little if any guarantees about 
the corresponding security and privacy settings, and perhaps 
no practical knowledge about the entities accessing their mo- 
bile traffic. 

In this paper we provide a first comprehensive analysis 
of 283 Android apps that use the Android VPN permission, 
which we extracted from a corpus of more than 1.4 million 
apps on the Google Play store. We perform a number of 
passive and active measurements designed to investigate a 
wide range of security and privacy features and to study the 
behavior of each VPN-based app. Our analysis includes in- 
vestigation of possible malware presence, third-party library 
embedding, and traffic manipulation, as well as gauging user 
perception of the security and privacy of such apps. Our ex- 
periments reveal several instances of VPN apps that expose 
users to serious privacy and security vulnerabilities, such as 
use of insecure VPN tunneling protocols, as well as IPv6 and 
DNS traffic leakage. We also report on a number of apps 
actively performing TLS interception. Of particular con- 
cern are instances of apps that inject JavaScript programs for 
tracking, advertising, and for redirecting e-commerce traffic 
to external partners. 


1. INTRODUCTION 


Since the release of Android version 4.0 in October 2011, 
mobile app developers can use native support to create VPN 
clients through the Android VPN Service class. As opposed 
to the desktop context, where an app needs root access to 
create virtual interfaces, Android app developers only have 
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to request the BIND_VPN_SERVICE permission (for sim- 
plicity, the “VPN permission”) to create such clients. 

Android’s official documentation highlights the serious 
security concerns that the VPN permission raises: it allows 
an app to intercept and take full control over a user’s traf- 
fic [60]. Many apps may legitimately use the VPN permis- 
sion to offer (some form of) online anonymity or to enable 
access to censored content (84). However, malicious app de- 
velopers may abuse it to harvest users’ personal information. 
In order to minimize possible misuse, Android alerts users 
about the inherent risks of the VPN permission by display- 
ing system dialogues and notifications (60). A large fraction 
of mobile users may however lack the necessary technical 
background to fully understand the potential implications. 

The use of the VPN permission by mobile apps, many of 
which have been installed by millions of users worldwide, 
remains opaque and undocumented. In this paper, we con- 
duct in-depth analysis of 283 Android VPN apps extracted 
from a population of 1.4M Google Play apps. In our efforts 
to illuminate and characterize the behavior of VPN apps and 
their impact on user’s privacy and security, we develop a 
suite of tests that combines passive analysis of the source 
code (cf. Section 4) with custom-built active network mea- 
surements (cf. Section[5p. The main findings of our analysis 
are summarized as follows: 








e Third-party user tracking and access to sensitive An- 
droid permissions: Even though 67% of the identified 
VPN Android apps offer services to enhance online pri- 
vacy and security, 75% of them use third-party tracking 
libraries and 82% request permissions to access sensitive 
resources including user accounts and text messages. 


e Malware presence: While 37% of the analyzed VPN 
apps have more than 500K installs and 25% of them re- 
ceive at least a 4-star rating, over 38% of them contain 
some malware presence according to VirusTotal (57). We 
analyze the public user reviews available on Google Play 
for all the VPN apps to sense whether their users are aware 
of possible malicious activities in their apps. Our analysis 
reveals that only a marginal number of VPN users have 
publicly raised any security and privacy concerns in their 
app reviews. 


e Traffic interception modes: The hosting infrastructure 
of VPN apps, which is heavily concentrated in the USA, 


remains opaque for the end-user. 18% of the apps do not 
mention the entity hosting the terminating VPN server. 
Our network measurements also suggest that 16% of the 
analyzed apps may forward traffic through other partici- 
pating users in a peer-forwarding fashion rather than us- 
ing machines hosted in the cloud. This forwarding model 
raises a number of trust, security, and privacy concerns for 
participating users. Finally, 4% of the analyzed VPN apps 
use the VPN permission to implement localhost proxies 
to intercept and inspect user traffic locally, primarily for 
antivirus and traffic filtering purposes. 


e (Lack of) Encryption and traffic leaks: 18% of the 
VPN apps implement tunneling protocols without encryp- 
tion despite promising online anonymity and security to 
their users. In fact, approximately 84% and 66% of the 
analyzed VPN apps do not tunnel IPv6 and DNS traf- 
fic through the tunnel interface respectively due to lack 
of IPv6 support, misconfigurations or developer-induced 
errors. Both the lack of strong encryption and traffic leak- 
ages can ease online tracking activities performed by in- 
path middleboxes (e.g., commercial WiFi APs harvesting 
user’s data) and by surveillance agencies. 


e In-path proxies and traffic manipulation: 16% of the 
analyzed VPN apps deploy non-transparent proxies that 
modify user’s HTTP traffic by injecting and removing 
headers or performing techniques such as image transcod- 
ing. However, the artifacts implemented by VPN apps 
go beyond the typical features present in HTTP proxies. 
We identified two VPN apps actively injecting JavaScript 
code on user’s traffic for advertisement and tracking pur- 
poses and one of them redirects e-commerce traffic to ex- 
ternal advertising partners. 


e TLS interception: Four of the analyzed VPN apps com- 
promise users’ root-store and actively perform TLS inter- 
ception in the flight. Three of these apps claim providing 
traffic acceleration services and selectively intercept traf- 
fic to specific online services like social networks, bank- 
ing, e-commerce sites, email and IM services and analyt- 
ics services. 


Our results show that — in spite of the promises for pri- 
vacy, security and anonymity given by the majority of VPN 
apps — millions of users may be unawarely subject to poor 
security guarantees and abusive practices inflicted by VPN 
apps. However, this study has not answered several inter- 
esting research questions such as traffic discrimination 
and the detection of side-channels to extract additional pri- 
vate information from user’s phones. 


2. ANDROID’S VPN PERMISSION 


Google introduced native platform support for VPN 
clients through the VPN Service base class and its as- 
sociated BIND_VPN_SERVICE_ permission in Android 
version 4.0 (60). For simplicity, we will reference the 
BIND_VPN_SERVICE permission as the “VPN permis- 
sion”. 



































Vendor Custom Permission 

Cisco com.cisco.anyconnect.vpn.android. MODIFY_VPN 
Juniper com.juniper.permission.JUNIPER_VPN_ACCESS 

Samsung android.permission.sec. MDM_VPN 

KNOX android.permission.sec. MDM_ENTERPRISE_VPN 


Table 1: Custom VPN permissions for MDM apps. 











The BIND_VPN_SERVICE permission is a powerful 
Android feature that app developers can misuse or abuse. It 
allows the requesting app to intercept, manipulate and for- 
ward all user’s traffic to a remote proxy or VPN server of 
their choice or to implement proxies in localhost (93). 

Android’s VPN API exposes a virtual network interface 
to the requesting app and — if the developer configures cor- 
rectly the routing tables — routes all device’s traffic to it. 
Likewise, each write operation to the virtual interface in- 
jects a packet just like it was received from the external inter- 
face. As for any other Android permission, app developers 
must explicitly declare access to the VPN permission in the 
app’s AndroidManifest file [Z] but Android limits the 
creation and ownership of the virtual interface to only one 
app at a given time. 

Due to the exceptional security and privacy risks of al- 
lowing third-party apps to intercept all user’s traffic, An- 
droid generates two warnings to notify user’s whenever an 
app creates a virtual interface using the VPN permission: (i) 
a system dialog seeking users approval to create a virtual 
interface, and (ii) a system-generated notification that in- 
forms users as long as the VPN interface remains active (60). 
However, average mobile users may not fully understand, 
possibly due to the lack of technical background, the conse- 
quences of allowing a third-party app to read, block and/or 
modify their traffic. 


Custom VPN permissions: Android’s native VPN support 
has enabled proprietary VPN solutions for enterprise clients 
such as Cisco AnyConnect and Juniper Junos tech- 
nologies. Enterprise solutions, also known as Mobile De- 
vice Management solutions or MDM, implement their own 
tunneling protocols on top on Android’s VPN permission to 
secure and simplify remote access to enterprise or private 
networks. Samsung’s KNOX SDK is a different incar- 
nation of proprietary MDM solutions. In that case, Samsung 
takes advantage from it’s position as an Android OS vendor 
to completely replace Android’s VPN implementation at the 
firmware level with their own solution. 

Android’s permission model allows MDM providers to 
share their VPN technologies with other apps by defining 
custom permissions. These are listed in Table The re- 
questing app must declare the associated custom permission 
on its manifest and the app providing the proprietary tech- 
nology must be already installed on the device. In the case of 
Samsung’s KNOX-enabled devices, the app developer wish- 
ing to incorporate any KNOX feature in its app must first 
enroll on Samsung’s KNOX program and then request ac- 
cess to the proprietary SDK [44]. As a result, Android 
VPN apps without KNOX support may operate incorrectly 
on many Samsung devices. The security guarantees that ap- 


ply for the official VPN permission also apply for custom 
VPN permissions as the MDM solution is responsible to re- 
quest Android’s BIND_VPN_SERVICE permission. 














3. DISCOVERING VPN APPS ON 
GOOGLE PLAY 


This section describes our method for identifying and 
characterizing Android VPN-enabled apps on Google Play. 


3.1 Detection Method 


Identifying VPN-enabled apps on Google Play is not a 
trivial task. The list of permissions available on a given app’s 
Google Play profile does not necessarily contain the use of 
the VPN permission by the app. 

App developers can request the Android VPN permissions 
in their app manifest file in two different ways: they can 
request the VPN permission within the scope of the whole 
app or restrict its use to an specific activity or servicd!| us- 
ing the <activity> and <service> tags respectively. This 
subtle difference has an impact on any method aiming to de- 
tect VPN-enabled apps: when a developer declares the per- 
mission within the <service> tag, the VPN permission does 
not show up in the list of Android permissions available on 
Google Play. Consequently, in order to correctly identify 
VPN-enabled apps at scale — either those using Android’s 
official permission or any of the custom VPN permissions 
listed in Table fi]—. we must crawl Google Play to down- 
load each app’s executable and then decompile it to inspect 
their AndroidManifest file in detail. 

We rely on multiple tools to fetch each app’s metadata 
(e.g., app description, installs, developer, user reviews and 
app rating) and to download their executables. For free apps, 
we use Google Play Unofficial Python API [?] whereas for 
paid apps, we use Raccoon APK Downloader to obtain the 
binaries after paying their required fee (42). Finally, after 
having downloaded each app’s executable, we use ApkToo 
to decompile, extract and analyze each app’s source code 
and their AndroidManifest file. 

To increase our app coverage and maximize the num- 
ber of detected VPN apps, we implemented a Google Play 
crawler that uses two complementary seeds. First, we ob- 
tain the app ID (or package name) from the top 100 apps 
for four Google Play categories likely to contain VPN and 
MDM apps: tools, communication, business and productiv- 
ity. Second, we leverage Google Play’s search feature to find 
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apps containing VPN-related keywords like “vpn”, “virtual 
private network”, “security”, “censorship”, “anonymity” or 
“privacy” in their app description. Afterwards, our crawler 
fetches each app’s metadata and executables. Our crawler 
follows a breadth-first-search approach for any other app 


considered as “similar” by Google Play and for other apps 








! Android apps can be composed of multiple activities (i.e., app 
components that run on the foreground on a single screen and re- 
quire user interaction) and services (i.e., app components that per- 
form long-running operations in the background) (3). Permission 
requests can be limited to specific app components. 


“https://ibotpeaches.github.io/apktool 








ots # of apps # of apps 
App pricing model (N = 283) analyzed in sf] 
Free VPN apps with Free Services 130 130 
Free VPN apps with Premium Services 153 20 


Table 2: Number of VPN apps identified with our detection 
method. 
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Figure 1: Evolution of VPN-enabled apps’ availability on 
Google Play. 


published by the same developer. In total, this method has 
allowed us to survey 1,488,811 apps during a three week pe- 
riod in September 2015. 

Our method has allowed us to identify 283 free 
Android apps requesting the VPN permission in their 
AndroidManifest files. 153 of free VPN apps require 
the user to perform in-app purchases in order to use their 
online VPN services. We refer to such apps as “premium 
VPN apps” and they typically offer weekly, monthly, quar- 
terly and yearly subscriptions. In the case of paid apps, we 
relied on information available on the app description as sig- 
nals to identify potential paid VPN apps. This is the result of 
our inability to pay the fee for downloading the executables 
of each paid app listed on Google Play. This approach has 
allowed us to find 10 potential VPN paid apps. However, af- 
ter paying their fee to download their executables, only one 
of them actually requested the VPN permission. Therefore, 
we decided to exclude paid VPN apps from this study. 

Our dynamic network analysis (presented in Section 
covers the 130 free apps and 20 premium VPN apps. Un- 
fortunately, we could not inspect the entirety of premium 
VPN apps as most of them are full MDM solutions which 
require dedicated IT and cloud support. Table[2|summarizes 
the scope of our static and dynamic analysis. 


3.2 The Rise of VPN Apps 


This section studies the presence of VPN-enabled apps 
available for download on Google Play over time. Given 
that Google Play does not report the actual release date of 
the apps but their last update, we use the date of their first 
comment as a proxy for their release date. For 9 apps without 
any user reviews as of this writing, we can determine the 
approximate release date by their last update. 

Figure [I] shows the steady increase of VPN apps’ listed 
on Google Play since November 2011 (Android 4.0 release). 
Note that our analysis only considers apps listed on Google 
Play as of September 2015 so it excludes possible VPN apps 
removed from Google Play. During the 2-year period that 
spans between November 2011 and November 2013, the 
number of VPN apps increased ten-fold. 





App Category % of Apps (N = 283) 
VPN Clients 67 
Enterprise 10 

Traffic Optimizer 4 
Communication Tools 3 

Traffic filters 2 

Traffic logger 2 

Antivirus 1 

Tor clients 1 

Other 10 


Table 3: Manual classification of VPN apps by their purpose. 


The analysis reveals that a small group of MDM apps like 
Juniper’s Junos Pulse and Afaria were already listed on 
Google Play years before the release of Android v4.0 (rep- 
resented in the graph with the vertical line). Unfortunately, 
we cannot obtain the deprecated binaries of these apps for 
further inspection to report how they implemented (or not) 
their VPN solutions before Android provided native support. 
We speculate that they have relied either on users to manu- 
ally enter the VPN server on Android’s system settings or on 
users with rooted phones. 

During the preparations for the final manuscript on Au- 
gust 5, 2016, we noticed that 49 out of 283 analyzed VPN 
apps were no longer listed on Google Play either as a re- 
sult of Google’s vetting process, user complaints, or due to 
developer decisions. 


3.3 VPN App Classification 


VPN apps can provide a wide range of services to the 
user. Unfortunately, Google Play’s categories (e.g., tools and 
games) are too broad to capture the actual purpose of the app. 
In order to identify their actual intended functionality, two 
co-authors inspected and labeled each VPN app manually 
according to their Google Play app description into 9 cate- 
gories that we list in Table B] In case that an app advertises 
more than one functionality, we choose the most relevant 
one. We found no disagreements in the labeling process. 

67% of Android VPN apps claim to provide traditional 
VPN services (labeled here as “VPN clients”) including en- 
hanced security and privacy, anti-surveillance or tunnels to 
access geo-filtered or censored content. Note that we con- 
sider Tor clients (e.g., Orbot (37). Globus VPN and 
TorGuard VPN client (56}) as a separate category. The sec- 
ond most common category is enterprise MDM solutions 
(10% of apps) followed by traffic optimization tools (e.g., 
DashNet (9). 4% of apps) and communication tools (3% 
of apps) for tethering or for creating mesh networks and 


VLANs (typically for online gaming |32)). 

Antivirus software apps (Qihoo ee En Dr.Web Secu- 
rity Space (13). and TrendMicro’s Mobile Security & An- 
tivirus (29}) may also leverage the VPN permission to per- 
form traffic analysis (e.g., malware detection), to block ma- 
licious traffic and to securely forward user’s traffic through 
trusted servers when users connect through insecure or ques- 


tionable WiFi networks. Other uses of the VPN permis- 
sion are traffic filters and traffic loggers (e.g., NoRoot Fire- 


wall (33) and even apps for securing online payments (e.g., 
Fast Secure Payment [17]). 


4. STATIC ANALYSIS 


In this section, we analyze the source code for each VPN 
Android app using static analysis. In particular, we report 
on applications requesting sensitive permission analysis, the 
presence of tracking libraries in app’s decompiled source 
code and the presence of malware activity according to the 
online antivirus aggregator, VirusTotal] 


4.1 Permission Analysis 


We investigate how VPN-enabled apps request other An- 
droid permissions to access sensitive system resources. We 
exclude network-related permissions like Internet access 
which are inherent to any VPN client. 

Figure [2] compares the permissions requested by VPN- 
enabled apps with those requested by the top-1,000 free 
non-VPN Android apps] which we included for reference. 
We use the method-to-permission mapping provided by 
Au etal. to investigate the source code segments in- 
voking the methods protected by each Android permission. 
For instance, in the case of apps requesting the READ_SMS 
permission, we investigate apps’ calls to associated meth- 
ods such as preSendSmsWorker (a method used to send 
SMS which informs the user about the intended or wanted 
text) and handleSmsReceived (a method that handles 
formatting-related aspects in received SMS) in order to de- 
termine the actual use of the permission by the app. 

There are Android permissions that are more common 
on VPN apps than in other app categories. For instance, 
antivirus and MDM solutions request READ_LOGS per- 
mission to inspect other apps’ activities (2). However, 
we observe that standard VPN clients like DroidVPN 
and tiger VPN also request permission to read sys- 
tem logs. Android documentation flags this permis- 
sion as highly sensitive as any app developer may care- 
lessly misuse Android’s logging capabilities and (uninten- 
tionally) expose personal information (including passwords) 
to any other apps requesting it. Similarly, antivirus apps 
request READ_EXTERNAL_STORAGE permission to check 
the stored files for possible virus and malware activity. 

Many other permissions listed in Figure[2|may appear un- 
usual requirements for VPN apps. However, VPN apps may 
provide additional and richer features to their users beyond a 
typical VPN tunnel. For each case, we manually checked the 
legitimacy of these requests by inspecting the API calls ex- 
ecuted by the apps and checking the description for related 
functionalities without finding any evidence for deliberate 
abuse of granted permissions. For instance, we found that 
antivirus apps as well as spyware VPN apps (which we fur- 
ther investigate in Section|4.3) request the READ_SMS per- 
mission to read text messages and, in the case of antivirus 
apps, to scan them for possible malware presence. Similarly, 
apps requesting READ_CONTACTS incorporate functions in 
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VPN Apps Free # App ID Class Rating # Installs AV-rank 
# Trackers Premium Free All non-VPN Apps 1 OkVpn Prem. 42 IK 24 
0 65% 28% 33% 19% 2 EasyVpn]1 Prem. 4.0 50K 22 
1 13% 10% 8% 11% 3 SuperVP. Free 3.9 10K 13 
2 10% 10% 1% 15% 4  Betternet Free 4.3 5M 13 
3 12% 25% 13% 23% 5 CrossVpn [7| Free 4.2 100K 11 
4 2% 8% 4% 16% 6 Archie veh Free 43 10K 10 
>5 5% 18% 8% 17% 7 HatVPN [21] pi Free 4.0 5K 10 
a a a ee, 8 sFly Network Booster Prem. 4.3 1K 10 
Table 4: Distribution of third party trackers embedded in 9 OneClick VPN Free 43 1M 6 
VPN apps. 10 Fast Secure Payment (17) Prem. 4.1 SK 5 


the likes of blocking text and calls from specific phone num- 
bers or sharing features through SMS or email. 


4.2 Tracking Libraries in VPN Apps 


With the help of ApkTool, we examine the presence of 
embedded third-party libraries (in the form of external jar 
files) for analytics, tracking or advertising purposes in the 
source code of each VPN-enabled app. In order to identify 
which libraries are associated with tracking services, we use 
the manually curated list of 127 tracking and advertising li- 
braries compiled by Seneviratne et al. |97]. Therefore, we 
consider our results as a lower bound of third-party tracking 
libraries presence in VPN apps. 

Table [4] compares the number of trackers used by VPN- 
enabled apps with the presence of trackers in the reference 
set of 1,000 free non-VPN apps. 67% of the VPN apps em- 
bed at least one third-party tracking library in their source 
code. The use of tracking libraries in VPN apps is signif- 
icantly lower than in the top 1,000 non-VPN apps with an 
almost 81% of the latter having at least one embedded track- 
ing library. The fact that 65% of the premium VPN apps do 
not have any tracking library embedded (as opposed to only 
28% of the free VPN apps) suggests that premium apps do 
not rely as much as free apps on revenues from advertising 
and analytics services. 

Since most VPN apps intend to provide online anonymity 
(Section B3}, the lower presence of tracking libraries is ac- 
tually meaningful. However, we identified the presence of at 
least one tracking library in 75% of the free VPN apps claim- 
ing to protect users’ privacy. 8% of all VPN apps have more 
than five. In e two VPN apps (Flash Free VPN |18 [8] 
and Betternet E9), which combined have more than 6M 


Table 5: VPN Apps with a VirusTotal AV-rank > 5. 


installs, have the highest number of embedded tracking li- 
braries: 11 and 14 respectively. 

Figure B]ranks the top-25 popular trackers in all analyzed 
VPN apps. Google Ads and Google Analytics are the most 
popular trackers among our corpus of VPN apps. A closer 
examination at the long-tail of the distribution reveals how- 
ever that the least popular third-party tracking libraries in 
our reference set of 1000 apps are instead more common 
in VPN apps. For instance, VPN apps like SurfEasy_||53] 
and Ip-Shield VPN [26] integrate libraries like Nae es 
Appflood’|for monetizing their apps with targeted ads. 


4.3 Malware Analysis 


Malware components may be designed to circumvent a 
specific antivirus (AV) tool (105). As aresult, it is imperative 
to rely upon multiple AV scanners and datasets to effectively 
identify the presence of malware on mobile VPN apps. We 
leverage the capabilities offered by VirusTotal’s public API 
to automatize our malware detection process. VirusTotal is 
an online solution which aggregates the scanning capabili- 
ties provided by more than 100 AV tools, scanning engines 
and datasets. It has been commonly used in the academic 
literature to detect malicious apps, executables, software and 
domains [?, ?, ?]. 

After completing the scanning process for a given app, 
VirusTotal generates a report that indicates which of the par- 
ticipating AV scanning tools detected any malware activity 
in the app and the corresponding malware signature (if any). 
Given that a single scanning tool may produce false posi- 
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Figure 3: Top 25 third-party tracking libraries (x-axis) in VPN and non-VPN apps. 


tives 57), we rely on the “AV-rank” metric (i.e., the 
number of affiliated AV tools that identified any malware 
activity) to reason about the maliciousness of an app. The 
study by Arp et al. [?] considered as a valid metric for mal- 
ware presence on mobile apps an “AV-Rank" > 2. Instead, 
we increase the ‘AV-rank” to a value > 5 to set a more con- 
servative threshold for malware detection. 

38% of the analyzed VPN apps have at least one positive 
malware report according to VirusTotal but only 4% of them 
have an “AV-rank” higher than 5. Table [5] ranks the top- 
10 VPN apps by their AV-rank. For each app, we include 
their Google Play rating and the number of install for refer- 
ence. The malware signatures for those apps correspond to 
5 different type of malware: Adware (43%), Trojan (29%), 
Malvertising (17%), Riskware (6%) and Spyware (5%). 

OkVpn and EasyVpn, both implemented by the same app 
developer, incorporate Adware on their source code and both 
of them request the intrusive SYSTEM_ALERT_WINDOW 
permission which allows the requesting app to draw win- 
dow alerts (in various forms as in the case unwanted ads) 
on top of any other active app. sFly Network Booster, traf- 
fic optimization VPN app, provides accelerated, worldwide 
content access through its dynamic routing and cloud-based 
accelerating system. It incorporates Spyware and requests 
the privacy sensitive READ_SMS and SEND_SMS permis- 
sions to read users’ text messages and, potentially, send text 
messages to premium-rate numbers. OkVpn, EasyVPN, and 
sFly Network Booster are three of the 49 VPN apps that were 
not listed on Google Play as of August 2016 (Section 3.2). 

According to the number of installs of these apps, millions 
of users appear to trust VPN apps despite their potential ma- 
liciousness. In fact, the high presence of malware activity in 
VPN apps that our analysis has revealed is worrisome given 
the ability that these apps already have to inspect and ana- 
lyze all user’s traffic with the VPN permission. 




















4.4 User Awareness Analysis 


The previous subsection identified instances of VPN apps 
with malware presence. This section takes a user-centric per- 
spective to understand if they publicly report on their Google 
Play reviews any of the privacy and security issues which 
could be present on VPN apps. 

Our analysis reveals that VPN apps receive high user rat- 
ings: 37% of the VPN apps have more than 500K installs 
and 25% of them have at least a 4-star rating as shown in 
Figure[/4] We cannot distinguish whether Google Play’s pos- 
itive installs and reviews are organic or if they were acquired 
using paid services to promote app installs 


e.g., |http://liftoff.io 
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Figure 4: Distribution of app rating vs. installs per VPN app. 





Complaint Category % of negative reviews (IV = 4, 593) 
Bugs & battery life 30% 
Abusive permissions 0.5% 
Privacy concerns 0.3% 
Security concerns 0.4% 
Malware/fraud reports 0.2% 


Table 6: Classification of negative user reviews for the VPN 
apps with more than 1M installs in in Google Play. 


To better understand whether real VPN users publicly re- 
port any security or privacy concerns after installing and us- 
ing a given VPN app, we analyze (with manual supervision) 
4,593 app reviews with low ratings (i.e., one and two stars) 
for the 49 VPN apps with more than | million installs. Our 
reasoning to focus our analysis solely on negative app re- 
views is that users reporting concerning security-related is- 
sues will also provide a low app rating. 

We classify app reviews into 5 categories (listed in Ta- 
ble (6) that cover from performance concerns and bugs to 
privacy and security concerns. We exclude from our anal- 
ysis any reviews related with usability concerns. 30% of 
user complaints report bugs, crashes and the app’s negative 
impact on battery-life. Only less than 1% of the negative re- 
views relate to security and privacy concerns, including the 
use of abusive or dubious permission requests and fraudulent 
activity, for the 9 apps listed in Table [7] Five of the apps re- 
ported as potentially malicious by app users are also flagged 
as such by VirusTotal (summarized in Table [5) due to mal- 
ware activity (e.g., Easy VPN) and trojans (e.g., CrossVpn). 


Summary and takeaways. 
The increasing number of popular VPN apps available on 
Google Play and the apparent lack of user-awareness of the 









App Class Rating # Reviews # Installs AV-positive 
EasyOvpn Free 4.2 84,400 5M y 
VPN Free [58] Prem. 4.0 15,788 1M v 
Tigervpns 55 Free 4.1 36,617 1M v 


DNSet Prem. 4.0 21,699 500K 

CM Data Manager (6) Prem. 4.3 11,005 1M 

Rocket VPN Free 4.2 11,625 500K v 
Globus VPN [62 Free 4.3 14,273 500K 

Spotflux VP 50) Free 4.0 14,095 500K 
CyberGhost |8| Free 4.0 13,689 500K y 


Table 7: List of VPN apps, with 500K or more number 
of installs, considered as malicious or intrusive by users in 


Google Play reviews and by VirusTotal (AV-positive column 
with AV-Rank > 1). 






security and privacy risks associated with the VPN permis- 
sion indicate the urge to analyze in depth this unexplored 
type of mobile app. The average moble user rates VPN apps 
positively even when they have malware presence. Accord- 
ing to our study, only a handful of users has raised any type 
of security and privacy concern in their reviews. In Section|5] 
we will complement the insights provided by our static anal- 
ysis with a comprehensive set of active tests that aim to re- 
veal behavioural aspects of the VPN apps during runtime at 
the network level. 


5. NETWORK MEASUREMENTS 


In this section, we investigate the runtime and network 
behavior of 150 VPN apps. In particular we are interested in 
understanding how VPN apps handle user’s traffic. 

We structure our analysis to illuminate the following as- 
pects: (i) the traffic interception mechanisms implemented 
by each app (i.e., whether the app uses the VPN permis- 
sion to implement localhost proxies or to forward the traf- 
fic through a terminating end-point or another peer); (ii) 
the tunneling protocols implemented by each app as well as 
developer-induced misconfigurations which may cause traf- 
fic leaks; (iii) the presence of proxies and traffic manipula- 
tion techniques such as ad-blocking, JavaScript injection and 
traffic-redirection; and (iv) identify any possible occurrence 
of TLS interception. 

We use a dedicated testbed, depicted in Figure |5| com- 
posed of a smartphone that connects to the Internet via a 
computer configured as a WiFi access point (AP) with dual- 
stack support. The WiFi AP runs t cpdump to intercept all 
the traffic being transmitted between the mobile device and 
the Internet. This allows us to observe the traffic generated 
by each VPN app as seen by an in-path observer. 

We test individually each one of the 150 VPN apps under 
consideration. We could not fully automate our measure- 
ment efforts as one of the goals of our study is to understand 
and test the options offered by each VPN app in their GUI 
(e.g., egress point diversity and supported VPN protocols). 
Prior to each test, we also ensure that the previous app we 
experimented with has not modified the root certificate store 
and we reboot the device to enforce the complete renewal of 
the virtual interface. 

We run a set of purpose-built scripts (not only between 
the device and a server under our control but also to pop- 
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Figure 5: Our testbed and the 3 possible interception and 
forwarding modes for VPN apps: (1) local interception as 
a transparent proxy, (2) cloud-based forwarding through 
a VPN server, and (3) traffic forwarding through a partici- 
pating node (peer forwarding) or other participating nodes. 
Our instrumented WiFi access point (AP) has the ability to 
observe all the traffic generated by each VPN app. 


ular websites) and the ICSI Netalyzr tool for Android 
to generate traffic and to analyze the different network- and 
traffic-related aspects of VPN apps. All the tests were con- 
ducted over a proxy-free link at Data61/CSIRO (Australia) 
thus the observed traffic manipulations and middleboxes can 
only be attributed to the VPN apps and their online infras- 
tructure. Each subsection will describe in detail the tests 
used for each aforementioned analysis. The number of tests 
that we run per app varies with the configurability of the app 
(e.g., whether the user can select a server in a given country) 
and the diversity of IP addresses that we observe. Two peo- 
ple executed a total of 5,340 tests manually for three months 
and connected to all end-points mentioned in the GUI of a 
given VPN app. 


5.1 Interception and Forwarding Mecha- 
nisms 


App developers can leverage the VPN permission to im- 
plement localhost proxies (Case 1 in Figure |5) or to for- 
ward user’s traffic to an external machine. In the latter case, 
the egress point could be either a remote server hosted in 
the cloud (Case 2) or another participating node in a peer- 
forwarding fashion (Case 3). In this analysis we investigate 
the forwarding mechanism implemented by each VPN app 
according to the possible scenarios. 

Our detection method relies on the client opening TCP 
connections to a remote dual-stack server under our control 
after enabling the traffic interception mode for each app. Our 
server records the public IP address for each TCP connec- 
tion (i.e., the egress point) and obtains its associated com- 
plete domain name (FQDN). We leverage MaxMind’s GeoIP 
services to identify the geographical location of the 
egress point. Our geo-location analysis is therefore limited 
to MaxMind’s accuracy aa We also use Spamhaus 
Policy Block List (PBL) |49] records to identify which IP 
addresses are associated with residential ISPs [65]. Note 
that Spamhaus’ PBL records are populated directly by ISPs 


to improve spam detection so they can be considered as an 
accurate proxy to identify IP addresses associated with resi- 
dential end-users. 

After introducing the different datasets that we will lever- 
age to illuminate the forwarding mechanisms for each VPN 
app, we now define each forwarding mechanism as depicted 
in Figure|5] An app performs local interception if it operates 
as a localhost proxy without forwarding user’s traffic to a ter- 
minating VPN server (i.e., if the observed public IP address 
for all the TCP connections generated by our script matches 
the public IP address of our experimental setup). Otherwise, 
the VPN app implements external forwarding. For the latter 
case, we define two sub-categories: cloud forwarding if the 
VPN app uses a cloud provider to host their “terminating” 
VPN servers; and peer forwarding if the app leverages other 
participating users as egress points. 


Local-Interception. Only 4% of the analyzed VPN apps use 
the VPN permission to intercept user’s traffic in localhost 
or to implement transparent localhost proxies [93]. These 
VPN apps include antivirus software (e.g., Dr Web Security 
Space), t cpdump-like tools that operate on user-space (e.g., 
tPacketCapture) and privacy and connection firewalls that al- 
low users to generate connection logs or to block traffic at 
the flow- or app-level (e.g., NoRoot Firewall). Given that 
the traffic is intercepted locally and not forwarded through a 
VPN tunnel, our WiFi AP can identify side-connections gen- 
erated by such apps. Notably, we observed that Dr. Web Se- 
curity Space (an AV app) opens side-channel HTTPS flows 
to drweb.com and to 11t.sul®| To determine whether 
they are used to forward a copy of user’s traffic, we correlate 
the exogenous flow sizes to the flow size (9KB) to our local 
web server. We observe that for 11KB and 4KB of traffic 
to 11t.su and drweb.com, respectively. Unfortunately, 
given that these flows are encrypted, we could not investi- 
gate their payload to identify whether they are legitimate or 
not. For the remaining apps implementing local intercep- 
tion, we only observe traffic associated with their embedded 
third-party libraries for analytics and advertisement services. 


External forwarding. Figure|6|shows the cumulative distri- 
bution of the number of countries hosting egress points for 
the remaining 96% of VPN apps. We observe a significant 
difference in the geographical coverage between free VPN 
apps and premium VPN apps. The distribution suggests 
that VPN servers for premium VPN apps are more scattered 
around the globe than for their entirely free counterparts: 
80% of the free apps have their servers in less than 6 dif- 
ferent countries, while 63% of the premium VPN apps have 
egress points in more than 6 countries. In fact, at least 20% 
of premium VPN apps have their servers located in more 
than 50 different countries. 

The US hosts egress points for 77% of free and 90% of 
premium VPN apps respectively. France and the Nether- 
lands are in second and third position for free VPN-apps 
(31% and 27% respectively) whereas the U.K and Germany 





’We have noticed that Dr. Web appends the public IP address of 
our institution as a prefix to the domain 11t.su. 
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Figure 6: Distribution of the number of countries per VPN 
app. 


Hosting Provider Free Apps (N= 130) # Recorded IPs 








Digital Ocean 13% 74 
Time Warner Cable Internet 6% 8 
Amazon AWS 6% 10 
JSC ER-Telecom Holding 6% 8 
Saudi Telecom Comp. JSC 2% 3 
Hosting Provider Prem. Apps (N= 20) # Recorded IPs 
Leaseweb 20% 10 
Reliablehosting 10% 505 
Astute Hosting 10% 5 
Digital Ocean 10% 2 
IP-Only Networks AB 5% 3 


Table 8: Top 5 VPN hosting infrastructures (by ASN) used 
by free VPN apps and premium VPN apps. 


are second and third for premium apps (85% and 80% re- 
spectively) Notably, the top 3 countries contribute to 41% 
and 52% of the total number of VPN end-points for free and 
for premium VPN apps respectively. 

A significant fraction of VPN apps concentrate all of their 
egress points in a single country: 16% of free VPN apps lo- 
cate all of their end-points concentrated in the U.S., whereas 
10% of the premium VPN apps have all their egress points 
concentrated in The Netherlands. 

The other extreme is the VPN app HideMyAss which 
provides terminating VPN servers virtually in almost every 
country in the world (209 countries/governments according 
to MaxMind’s geolocation). If we look at the rank of hosting 
providers across VPN apps, we observe that Digital Ocea] 
(an American company) and Leasewelf!"|(a Dutch company) 
are the most common providers for free and premium VPN 
apps respectively. Table[8|shows the top 5 hosting providers 
by the number of VPN apps actively using their services. 

Peer forwarding enables VPN apps to increase the num- 
ber of egress points per country while reducing the costs of 
maintaining an online hosting infrastructure]'~| We attempt 
to identify apps implementing peer forwarding from the set 
of VPN apps with public IP addresses labeled as residential 
IPs by Spamhaus PBL. However, conducting this classifica- 
tion proves challenging (and prone to errors) as VPN ser- 
vices can deploy VPN servers in residential ISPs. This, un- 





? Given that VPN apps can have end-points in multiple countries 
therefore the percentages do not add up to 100%. 
‘https://www.digitalocean.com 

l https://www.leaseweb.com 

"For reference, the cost per month of the hosting providers can 
range from 5 USD/month (Digital Ocean) to almost 200 USD/- 
month (Astute Hosting). 








App Class # ASs Residential AS(%) Exogenous Traffic 
Open Gate 36) Free 54 70% 

VPN Gate [59] Free 40 60% 

VyprVPN Free 2 50% 

OneClick 35] Free 57 53% 

Tigervpns Free 6 16% vá 
StrongVPN Prem. 59 14% <“ 
Hola Free 41 5% 

HideMyAss Prem. 134 1% 

Private WiFi Free 30 7% 

VPNSecure Prem. 44 2% 


Table 9: VPN apps with egress points in residential ISPs. 
The last column indicates whether we have observed any 
possible exogenous flows for such apps. 


fortunately, limits our ability to make a clear distinction be- 
tween VPN apps implementing cloud- and peer-forwarding, 
or even hybrid approaches. 

6% of the free VPN apps and 15% of the premium VPN 
apps relay traffic through residential ISPs. However, due to 
the aforementioned challenges, instead of attempting to clas- 
sify each VPN app in these categories, we report in Table P] 
the percentage of ASes for which we identified a residen- 
tial egress point and the total number of ASes for each VPN 
app for reference. Out of these apps, only Hola confirms its 
community-powered nature (P2P) on its website. 

We inspect the packets captured by our WiFi AP to iden- 
tify the presence of exogenous flows which may have been 
forwarded through our device in a peer-to-peer fashion by 
the VPN engine for other participating users. While run- 
ning HideMyAss we observed traffic going to JP Morgan 
and LinkedIn. None of these domains seem to be associ- 
ated with any of the third-party libraries used by HideMyAss 
app. Unfortunately, we cannot entirely confirm the origin 
of these flows to assess whether they are endogenous to the 
app or not and our VPN session may have not lasted long 
enougi{'>| to capture traffic from other participating users. 
In the case of Tigervpns, we also identified flows to do- 
mains that no longer exist (e.g., for maxhane.com and 
qudosteam.com, DNS lookup returned NXDOMAIN and 
SERFAIL, respectively.). 

Nevertheless, the mere possibility of VPN apps following 
a peer forwarding model raises up some intriguing questions 
about their operational transparency and the security guaran- 
tees when forwarding traffic through (or on behalf of) other 
participating devices, not necessarily trustworthy. 


5.2 VPN Protocols and Traffic Leaks 


Ideally, the traffic forwarded through the VPN tunnel 
must be opaque to an in-path observer (e.g., Internet service 
provider, commercial WiFi APs and surveillance agencies). 
However, there is a wide range of tunneling protocols, each 
with different security guarantees, that can be used by app 
developers to forward traffic out of the device: from secure 
IPSec tunnels to basic TCP tunnels without any encryption. 

In addition to insecure tunneling protocols, developer- 
induced misconfigurations and errors may also undermine 








'3For each end-point, our session duration lasted for 180 seconds. 








Protocol Free Apps Premium Apps 
OpenVPN 14% 20% 
L2TP/IPSec 5% 0% 
SOCKS 4% 0% 
UDP:80 0% 10% 
n f TLS (TCP:443) 15% 10% 
Unidentified — DTLS (UDP:443) 13% 25% 
Other ports 30% 25% 
Unencrypted 19% 10% 


Table 10: VPN tunneling protocols observed by our WiFi 
AP for the analyzed VPN apps. 


user’s privacy and security. VPN app developers must ex- 
plicitly forward IPv6 traffic and provide the DNS settings at 
the time of creating the virtual interface programmatically. 
If not done carefully, DNS and IPv6 traffic may not be for- 
warded through the virtual interface PT]. In particular, DNS 
leakage can reveal user’s networking activity and interests. 
The VPN API also allows app developers to overwrite user’s 
DNS resolver with one of their choice. 

All these artifacts can become a serious harm for users try- 
ing to circumvent surveillance or seeking online anonymity 
by using VPN apps. To investigate those crucial aspects of 
VPN apps, we run a script that performs crafted HTTP re- 
quests (both over IPv4 and IPv6) as well as DNS lookups 
to our dual-stack server under our control. In this section, 
we analyze the pcaps captured by our in-path WiFi AP 
to investigate the presence of tunnels without encryption in 
the wild (i.e., we consider a tunnel implementation as unen- 
crypted if the payload of our custom HTTP requests is seen 
in the clear by our WiFi AP) and to identify potential IPv6 
and DNS leaks. We leverage the complementary features 
provided by a pcap parser and Bro’s comprehensive 
protocol analyzers (which provide support to identify some 
tunneling technologies) to inspect in detail the traffic 
collected for each app. 


VPN Tunnel Implementations. Table [10] shows the VPN 
tunneling protocols that we identified in the pcap traces gath- 
ered by our dual-stack WiFi AP. As mentioned earlier, we 
rely on Bro’s suite of protocol parsers to identify the ac- 
tual protocol used by each VPN apps. Unfortunately, Bro 
only provides full support for OpenVPN, L2TP/IPSec and 
SOCKS tunnels. For the remaining cases, we could not iden- 
tify their application-layer protocol. Instead, we report the 
transport-layer protocol and the destination port in use. Iden- 
tifying the actual protocol would have required us to decrypt 
the channel to inspect the payload. 

Table [10|reports the different tunneling protocols that our 
method allowed us to identify. We observe that OpenVPN 
is the most popular tunneling technology both for free and 
premium apps (14% and 20% respectively). However, many 
VPN apps also use some tunneling technology over TLS and 
DTLS [?]. Of particular concern are the 19% and 10% of 
free and premium apps using basic TCP tunnels (also known 
as “port forwarders”) and insecure HTTP tunnels [73] . As 
our WiFi AP, any in-path middlebox could inspect the pay- 
load for those apps in the clear. Therefore, the VPN apps us- 
ing tunneling protocols without encryption are not protect- 


ing their user-base from online surveillance and WiFi APs 
harvesting user’s data. 


IPv6 and DNS leaks. We observe that 84% of the analyzed 
VPN apps do not route IPv6 traffic through the VPN tun- 
nel. Moreover, 66% of the VPN apps do not forward DNS 
traffic through the VPN tunnel so any in-path observer can 
monitor the DNS networking activity of the user. IPv6 and 
DNS leaks can ease user monitoring and censorship. Conse- 
quently, VPN apps like HideMyAss and VPNSecure which 
claim to provide security and anonymity are not effective 
against surveillance and malicious agents. Traffic leaks can 
be the result of intentional design decisions, lack of IPv6 
support or even the result of developer-induced errors when 
configuring the routing parameters of the VPN app. Unfor- 
tunately, we cannot identify the root cause for such artifacts. 


DNS redirection. For each one of the DNS lookups that we 
perform, we also check whether the IP address of the DNS 
resolver matches the one of our configured resolver’s IP. No- 
tably, 55% of the free apps (and 60% of premium apps) redi- 
rect user’s DNS queries to Google DNS whereas 7% of free 
and 10% of premium VPN apps forward DNS traffic to their 
own DNS resolvers. In the latter case, users may be vulner- 
able to content filters and other DNS artifacts implemented 
by the DNS resolver such as traffic-redirection [103]. We 
have not further investigated the presence of traffic blockage 
or redirection mechanisms at the DNS level. 


5.3 Traffic Manipulation 


In-path proxies allow VPN services to gain control over 
users traffic and to manipulate traffic on the fly ?, 2]. 
Moreover, many proxy features can provide an economic 
benefit for ISPs and network providers as in the case of 
HTTP header injection [?] or traffic redirection for adver- 
tising purposes [103]. 

We leverage the comprehensive network troubleshoot- 
ing tool Netalyzr for Android to identify in-path flow- 
terminating proxies at the TCP level and, in the case of 
HTTP proxies, how they interfere with user’s traffic. In a 
nutshell, Netalyzr controls both client and server side and 
crafts packets and HTTP requests in a way that would allow 
identifying non-transparent proxies along the path [?]. We 
refer the reader to Netalyzr-related bibliography for further 
implementation details 2, [102]. 

We extend the insights provided by the Netalyzr tool with 
custom-built tests that will allow us to identify VPN apps 
implementing techniques such as ad-blocking, JavaScript- 
injection for advertising and analytics purposes [?, [79], and 
traffic-redirection (i.e., redirecting users traffic to third party 
advertising partners). In particular, we use two techniques to 
identify such proxy manipulations: First, we investigate do- 
main mismatches between the DNS request and the service 
ultimately delivering the content using reverse DNS (103). 
Second, we investigate content modifications for a web- 
site completely under our control, seven e-commerce 
websites (alibaba.com, ebay.com, target.com, 
bestbuy.com,overstock.com, newegg.com, and 
macys.com) and for the top-30 websites in the US, China, 
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Figure 7: Distribution of in-path TCP proxy deployment per 
port. 


and Europe according to Alexa’s rank [?]. As we demon- 
strate in one of our previous research efforts, the JavaScript 
code for two or more simultaneously accessed DOM trees’ 
elements (e.g., ads) belonging to the same website remain 
identical despite noticeable differences in the DOM tree el- 
ements [81]. This feature present in today’s websites allows 
us to identify possible JavaScript injection by comparing the 
DOM trees for all selected websites before and after testing 
each VPN app. We use Selendroid to fetch the rendered 
HTML source and extract the JavaScript as well as the DOM 
trees for each site. 


In-path Proxies. The Netalyzr tests failed systematically 
for 34% of the analyzed VPN apps. Unfortunately, we do 
not have enough information to explain if such failures are 
caused by VPN app behavior, app bugs or if they are the 
result of traffic policies implemented by the VPN provider as 
Netalyzr generates traffic resembling BitTorrent which may 
be blocked by the VPN provider. We acknowledge it as a 
limitation of our tests to determine proxies in 34% of the 
analyzed VPN apps. 

For the remaining 66% of VPN apps, Netalyzr results re- 
vealed the presence of flow-terminating proxies for multiple 
TCP ports as shown in Figure [/| According to the figure, 
for every port we study, in-path proxies are more common 
on premium VPN apps than in their free counterpart. We in- 
spect app descriptions on Google Play store and observe that 
only 18% of the analyzed 66% apps provide such proxying 
as part of their stated purpose. The rest of the apps imple- 
ment proxying as additional functionality. Nevertheless, we 
detected the presence of general-purpose proxies (i.e., prox- 
ies listening in all the ports tested) in 8% and 15% of free 
and premium VPN apps respectively. Given that free VPN 
apps may implement peer forwarding to redirect user’s traf- 
fic and the lower number of free VPN apps with premium 
services that we actively analyzed, in-path middleboxes and 
proxies may be less common in such scenarios. 

In-path proxies may have additional negative effects on 
user’s traffic which are beyond the scope of this study. Many 
of them may have their own particular or incomplete inter- 
pretation of transport-layer protocols |102]. In the case of 
HTTP proxies, Netalyzr test revealed that 47% and 55% of 
free and premium VPN apps actively modify HTTP traffic 
by default. Some proxy artifacts may have a negative impact 
on data fidelity and user’s browsing experience as in the case 
of techniques like non-HTTP traffic filters over port TCP:80 
(15% of VPN apps), HTTP body or header manipulations 





Website Input Point Partner Network (click event) Referral 
alibaba.com  anchorfree.us/rdr.php http://www.dpbolvw.net/click-7772790- 12173 149-1427959067000 NA 
ebay.com anchorfree.us/rdr.php —_http://api.viglink.com/api/click ?key=4372c7dabb08e4e38d97c4793cf6edb3 —_ anchorfree.us/contentdiscovery2 


Table 11: HotspotShield redirects user traffic to alibaba.com and ebay.com through its partner networks Conversant 
Media and Viglink respectively. In the case of target.com, bestbuy.com, overstock.com, newegg.com and 


macys.com we observed re-directions to Conversant Media. 


(14% of VPN apps), and image transcoding (4% of VPN 
apps). 


Ad-Blocking and Tracker-Blocking. Two of the analyzed 
VPN apps actively block ads and analytics traffic by default 
on our tested websites: Secure Wireless and F-Secure Free- 
dome VPN. The apps did not explicitly mention ad-blocking 
feature in the Google Play store listing 4] An analysis of 
the decompiled source code, using ApkTool, revealed that F- 
Secure Freedome VPN app blocks any traffic coming from 
a pre-defined list of domains associated with web and mo- 
bile tracking including Google Ads, DoubleClick, and 
other popular tagging/analytics services such as Google Tag 
and comScore. However, blacklist-based ad blocking may 
affect the functionality of the Webpages and impairs user 
experience 2). Specifically, F-Secure Freedome VPN 
blocks JavaScript code associated with nytimes.com’s 
event “TaggingServices” which, as a result, prevents user 
access and interaction with embedded relevant video con- 


tent [81]. 


JavaScript Injection. We identified two free VPN apps 
(VPN Services HotspotShield by AnchorFree and WiFi 
Protector VPN (64) actively injecting JavaScript codes us- 
ing iframes for advertising and tracking purposes. Both 
apps claim to safeguard user privacy and to provide security 
and anonymization (cf Section |3.3). However, in the case 
of AnchorFree, they also provide advertising services BA. 
Our static analysis of both apps’ source code revealed that 
the actively use more than 5 different third-party tracking 
libraries. The developer team behind WiFi Protector VPN 
corroborated our observations and stated that the free version 
of its app injects JavaScript code for tracking and displaying 
their own ads to the users. 


Traffic Redirection. AnchorFree’s VPN app Hotspot- 
Shield performs redirection of e-commerce traffic to 
partnering domains. When a client connects through 
the VPN to access specific web domain] the app 
leverages a proxy that intercepts and redirects the HTTP 
requests to partner websites with the following syntax: 
As a re- 


sult, user’s traffic is relayed through two organiza- 
tions before reaching alibaba.com: AnchorFree and 
dpbolvw.net, a domain owned by valueclick.com 









Contrary to Google Play listings, F-Secure Freedome VPN 
mentioned its ad-blocking feature on its webiste, https://www.f- 
secure.com/. 

‘During our experiments redirection happened exclusively 
for websites categorized as e-commerce sites such as 
alibaba.com. 


(or Conversant Media, an online advertising company[6}. 
Table [T] contains two samples of such requests. Our tests 
also identified a second partner: Viglinl””| According 
to AnchorFree’s website, the app provides “shielded 
connections, security, privacy enhancement for individ- 
uals and small businesses” and an “ad-free browsing” 
environment [24]. 


5.4 TLS Interception 


VPN apps are in a privileged position to perform TLS in- 
terception [101]. They can compromise the local root cer- 
tificate store of the device by injecting their own self-signed 
certificates using Android’s KeyChain API [?]. Once a cer- 
tificate is installed on the device, the app can intercept the 
TLS session establishment and generate “legit” certificates 
— verifiable by the self-signed root certificate injected on 
the trusted certificate root store — on the fly [101]. To limit 
potential new venues for abuse, Android requires user’s con- 
sent to install root certificates and it shows an additional 
system notification that informs the user that a third-party 
can monitor their secure traffic. Only tech-savvy users may 
be able to fully understand the security implications of in- 
stalling a root certificate. 

We instrumented our Android device with OpenSSL so 
that we can capture a copy of the SSL/TLS server certifi- 
cate when accessing more than 60 popular services operat- 
ing over SSL including HTTPS, SMTP over TLS, and POP3 
over TLS. The services reached in our test include diverse 
and popular services like Google, Gmail, Facebook, Twit- 
ter, Skype, banking services, CDNs, analytics services and 
e-commerce sites, many of which are associated with mobile 
apps implementing security countermeasures such as certifi- 
cate pinning [76] |45]. 

We validated each server certificate against the ICSI Cer- 
tificate Notary to identify possible cases of TLS interception: 
3% of the TLS sessions provided certificates for which the 
ICSI notary could not establish a valid chain to a root cer- 
tificate from the Mozilla root store. By inspecting manually 
each certificate, we identify 4 free VPN apps (developed by 
3 different app developers) that actively intercept TLS traffic 
by issuing self-signed certificates as shown in Table[12| Two 
of the apps implementing TLS interception, DashVPN and 
DashNet, are implemented by the company ActMobile 

A detailed inspection of the domains for which we 
recorded self-signed certificates, revealed that only the app 
Packet Capture performs TLS interception indiscriminately 
for all domains even if the apps perform cert pinning. The 
other apps, — Neopard, DashVPN and DashNet all of which 
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VPN app CA 


Packet Capture Packet Capture GUI 100K 
ActMobile 100K 


Dash VPN 

DashNet |9 ActMobile 10K 

Exalinks Neopard Exalinks Root Privacy Policy 10K 
Table 12: VPN apps performing TLS interception, the CA 
signing the forged certificates and if the apps explicitly in- 


form the user about TLS interception practices in their GUI 
or in their privacy policy. 


User-warning # Installs 





claim to provide traffic acceleration — target specific ser- 
vices as reported in Table [13] more inclined towards email 
services, social networks search engines and IM. This be- 
havior may be a consequence of the nature of the apps and 
the intent of the online services that they aim to optimize. 


Packet 


Domain (PORT) Capture 


Neopard DashVPN DashNet 





google-analytics.com 
mail.google.com 
mail.yahoo.com 
maps.google.com 
orcart.facebook.com (8883) 
play.google.com 
www.akamai.com 
www.alcatel-lucent.com 
www.amazon.com 
www.avaya.com 
www.bankofamerica.com 
www.chase.com 
www.cisco.com 
www.ebay.com 
www.facebook.com 
www.fring.com 
www.gmail.com 
www.google.co.uk 
www.google.com 
www.hotwire.com 
www.hsbe.com 
www.ibm.com 
www.icsi.berkeley.edu 
www.linkedin.com 
www.outlook.com 
www.qq.com 
www.seagate.com 
www.simple.com 
www.skype.com 
www.taobao.com 
www.tripadvisor.com 
www.twitter.com 
www.viber.com 
www.yahoo.com 
www.youtube.com 


COG TTT CeCe TT Te LeCCLC ETT TTT TT teCCee 
WANNA SANNA ASA SAAN NERA 
SOCCTIC TC COCCO Te CCCCCCTICC TE TO TCCGQ 
SAAS SA SSAA SAAS SS 


Table 13: Intercepted domains per VPN app. The list only 
prints the TCP port for those different than 443. 


We manually inspected the app’s GUI to check if the apps 
inform users about the purpose of performing TLS intercep- 
tion and what TLS interception implies. Packet Capture sup- 
ports TLS interception (as an opt-in feature in the app) in 


order to expose TLS traffic to its users. Likewise, Neopard, 
a web acceleration app, also notifies users about the purpose 
of performing TLS interception in order to optimize traffic. 
Their privacy policy (April 2016) informs users about 
TLS interception and lists “perform mobile usage reviews 
for market studies” as one of the purposed of their data col- 
lection process. In the case of Dash VPN and DashNet, none 
of them inform users about the purpose of performing TLS 
interception at all. 


Summary and takeaways. 

Our analysis of VPN apps at the network level has re- 
vealed that the majority of VPN apps are not transparent 
enough about how they handle user’s traffic. Despite the 
promises for security enhancement and online anonymity, 
VPN apps may forward user’s traffic through other partici- 
pating nodes following a peer (e.g., Hola) thus opening in- 
teresting questions about the trustworthiness of the egress 
points and the security guarantees for users forwarding traf- 
fic for others. 

Our analysis has also revealed an alarming 18% of VPN 
apps that implement tunneling technologies without encryp- 
tion as well as 84% and 66% of apps leaking IPv6 and DNS 
traffic. As a result, these apps do not protect user’s traffic 
against in-path agents performing online surveillance or user 
tracking. We inspect app descriptions on Google Play store 
and observe that 94% of the IPv6 and DNS leaking apps 
claim to provide privacy protection. Such traffic leaks may 
be associated with developer-induced errors, lack of support 
or even misconfigurations. 

Finally, we have also identified abusive practices in our 
corpus of VPN apps such as JavaScript injection for track- 
ing and advertising purposes, as well as e-commerce traffic 
redirection to affiliated partners and TLS interception. Only 
one of the apps implementing these practices (i.e, Packet 
Capture performing TLS interception) actually inform the 
users about the presence of such artifacts. 


5.5 Developers’ responses 


We contacted and shared our findings with the developers 
of each of the apps we observed as involved in any of the fol- 
lowing: JavaScript injection, traffic redirection, ad-blocking 
and tracker-blocking, exogenous flow, peer-forwarding user 
traffic, and TLS interception. We also contacted app devel- 
opers of apps requesting sensitive permissions, apps that are 
negatively reviewed by users, and the ones with embedded 
third-party tracking libraries. We also contacted apps which 
our tests revealed as possibly containing malware in their 
APKs. 

Amongst the two apps (WiFi Protector and HotspotShield 
VPN) that our tests identified as performing JavaScript injec- 
tion, WiFi Protector confirmed our findings and stated that 
the free version of their app injects JavaScript code to track 
users and to show their own ads. HotspotShield VPN, which 
we identified as also performing traffic redirection, has not 
responded to our correspondence. 

The developer behind F-Secure Freedome VPN, we found 
that it blocks third-party ads and trackers, confirmed our 


findings and elaborated on how they construct their black- 
lists for third-party trackers- and ads-blocking. The devel- 
oper did not respond yet to our inquiries about the crite- 
ria used to build the blacklists. We have not received any 
response from Secure WiFi that our tests also identified as 
performing ad-blocking. 

We received responses from only three developers of the 
apps that we observed implementing peer-forwarding of user 
traffic. VyperVPN and VPNSecure confirmed that they have 
some of their end-points located in residential ISPs as they 
may rely on third-party data-centers for hosting their ser- 
vices. Hola’s developer confirmed our findings and explic- 
itly mentioned Hola’s peer-forwarding mechanism. Contacts 
from other apps detailed in Table [9] have not yet, as of the 
time of writing of this paper, responded to our requests for 
comments or feedback. 

Neopard confirmed that they whitelist the domains for 
which they can optimize traffic and asked for feedback about 
how to increase their operational transparency and usability. 
ActMobile, initially, asked for further information about the 
purpose of this study and who has commissioned and later 
on, acknowledged our findings, confirmed that they disable 
the default TLS-interception functionality in both of the apps 
(DashVPN and Dashnet). They also reported that, in the 
new version of the apps, they ask for user consent, explic- 
itly in the apps’ GUIs, to install and to enable the ActMo- 
bile’s certificates for TLS-interception and traffic accelera- 
tion, respectively. We have not received any response from 
the developer behind Packet Capture that our tests identified 
as performing TLS-interception. 

Only one of the apps’ developers, explicitly discussed 
in Section responded to our findings and confirmed 
that tiger VPN requests sensitive READ_LOG permission to 
record and to use it for troubleshooting purposes. They 
also confirmed that, in the connection log collected via 
READ_1LOG permission, they collect users’ information such 
as end-points’ IPs, wireless (mobile data connectivity (3G, 
4G, and LTE) or WiFi) connectivity, and error messages. 

The developer behind Ip-shield VPN that we identified as 
embedding less-popular tracking libraries such as Appflood 
for targeted ads argued that the Appflood was the best choice 
to monetize the app. The developer also revealed plans to 
update ad-free version of Ip-shield VPN on Google Play. 

The rest of the developers of the apps with possibly con- 


taining malware (cf. Section ae that are negatively 
4.4 








reviewed by users (cf. Section |4.4), apps that are embed- 
ding third-party tracking libraries (cf. Section |4.2), and the 
one with exogenous traffic flows (cf. Section S nave not 
yet, as of the time of writing of this paper, responded to our 
findings. 


6. LIMITATIONS 
WORK 


Our method to identify and characterize VPN apps on 
Google Play presents several limitations, many of which are 
inherent to static and dynamic analysis [6]. The first lim- 
itation is app’s coverage: our study is limited to Android’s 


AND FUTURE 


free Google Play apps and excludes paid apps, iOS apps and 
apps from alternative app stores. We also rely on a Google 
Play crawler to extract our corpus of VPN-enabled apps that 
might restrict the app coverage of our study which may miss 
apps that intentionally (or inadvertently) hide their use of 
the VPN permission. Although our apps crawler aims to 
capture as many VPN-enabled apps as possible, we stress 
that our goal is to provide an analysis of the security and 
privacy issues of a representative sample of VPN-enabled 
apps from the Google play store. Second, this paper does 
not consider Android apps requesting root access on rooted 
phones to intercept user traffic via native commands such as 
tcpdump or OpenVPN. Investigating apps falling in this cat- 
egory would require conducting a computational- and time- 
expensive static analysis. Third, we do consider runtime 
analysis of third-party tracking libraries and all sensitive per- 
missions of VPN apps. Determining what an app do with 
sensitive permissions such as READ_LOG, READ_SMS, and 
SEND_SMS and what type of information will third-party 
tracking libraries collect would require fine-grained system- 
and network-level trace and traffic analysis. 

Moreover, we identify apps implementing peer forward- 
ing from the set of VPN apps with public IP addresses la- 
beled as residential IPs by Spamhaus PBL. Given that VPN 
services can deploy VPN servers in residential ISPs and 
Spamhaus classification is prone to error, our analysis of 
peer forwarding may not be accurate. We consider it as a 
limitation and one possible extension of the work in this pa- 
per would be to strengthen our analysis of peer forwarding 
by (i) extending the tests duration to enable tracking of peers 
(running suspected VPN apps); and (ii) analyzing the traf- 
fic flows of an app simultaneously running on two or more 
mobile phones to determine if they forward traffic for each 
other. 

Likewise, our method falls short to analyze the presence 
of session timeouts and apps’s ability to recover from a loss 
of connectivity. These dynamics may cause user traffic to 
be exposed in the clear to any in-path middlebox for a short 
period of time. 

This paper provides a first detailed analysis of VPN- 
enabled apps but it also leaves many open questions beyond 
the scope of our analysis. Aspects such as possible traffic 
or device-location discrimination practices or the use 
of VPN apps as honeypots to harvest personal information 
have not been addressed in this study. In addition, reasons 
behind inadequacy of app actual behavior and terms of use 
or the the identification of side-channels for the observed 
data-exfiltration have been left as pending questions. 














7. RELATED WORK 


Several studies highlighted the privacy risks associated 
with Android apps over-requesting Android permissions for 
third-party tracking, advertising and analytic services [99 
using techniques like static analysis 
, taint analysis (75} [104], and OS modifications [82 
99| [80]. Previous research also adapted techniques for 


malware detection such as signature analysis 


and anomaly detection to the mobile context in 


order to identify potential malicious activity on mobile apps. 

Several research efforts leverage Android’s VPN permis- 
sion to accurately characterize Android’s traffic and identify 
private data leakage inflicted by mobile apps {100}. 
More related to studying VPN apps, the study conducted by 
Perta et al. is perhaps the closest one to our analysis. 
The paper provides a manual analysis of 14 popular VPN 
services and includes a study of their their mobile clients 
identifying developer-induced bugs and mis-configurations 
that lead to IPv6 and DNS leaks. Our paper provides a sys- 
tematic and thorough security and privacy analysis of An- 
droid mobile apps employing the VPN permission. The 
study by Vallina-Rodriguez et al. characterized Android’s 
root certificate store using data provided by Netalyzr for An- 
droid tool [TOT]. The study revealed how VPN-enabled apps 
could perform transparent TLS interception after compro- 
mising the root certificate store. 

Finally, Appelbaum et al. identified security vulnerabili- 
ties on commercial and public online VPN services [66]. A 
survey conducted by Khattack et al. on VPN usage across 
Pakistani Internet users reported that 57% of the partici- 
pants used SSL-based VPN software to access YouTube con- 
tent (84). Our paper in turn, presents a method to systemat- 
ically identify and analyze security and privacy aspects of 
VPN-enabled apps on Android-based app stores. The impli- 
cations of our analysis span to other areas such as censorship 
analysis and network measurements that leverage VPN ser- 
vices to penetrate different countries and ISPs. 


8. CONCLUSIONS 


Android app developers benefit from native support to im- 
plement VPN clients via the VPN permission to provide cen- 
sorship circumvention, support enterprise customers and en- 
hanced online security and privacy. However, despite the 
fact that Android VPN-enabled apps are being installed by 
millions of mobile users worldwide, their operational trans- 
parency and their possible impact on user’s privacy and se- 
curity remains “terra incognita” even for tech-savvy users. 

In this paper, we presented a number of static and dy- 
namic methods that allowed us to conduct in-depth analy- 
sis of VPN-enabled apps on Google Play. We investigate 
from the presence of tracking services and malware on VPN 
app binaries to artifacts implemented by these apps at the 
network level. Our comprehensive tests allowed us to iden- 
tify instances of VPN apps embed third-party tracking ser- 
vices and implement abusive practices such as JavaScript- 
injection, ad-redirections and even TLS interception. 

The ability of the BIND_VPN_SERVICE permission to 
break Android’s sandboxing and the naive perception that 
most users have about third-party VPN apps suggest that it 
is urging to re-consider Android’s VPN permission model to 
increase the control over VPN clients. Our analysis of the 
user reviews and the ratings for VPN apps suggested that the 
vast majority of users remain unaware of such practices even 
when considering relatively popular apps. 
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